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MONITORING EVENTS IN A COMPUTER NETWORK 



2 FIELD OF INVENTION 

3 The present invention relates to monitoring events in a computer network. The computer 

4 network triggering the events, wherein each event is provided with attribute values 

5 allocated to a given set of attributes. 

6 BACKGROUND OF THE INVENTION 

7 With the expansion of the Internet, electronic commerce and distributed computing, the 

8 amount of information transmitted via electronic networks is continuously increasing. 

9 Such possibilities have opened many new business horizons. However, they have also 

1 0 resulted in a considerable increase of illegal computer intrusions. 

11 An emerging trend that addresses this problem is the development of intrusion detection 

12 systems. These systems are aimed to detect attacks on the computer network by monitor- 

1 3 ing all network activities. Network activities are usually monitored by the intrusion detec- 

14 tion system as a time-ordered sequence of events wherein each event is characterized by a 

1 5 given set of attributes, so-called dimensions. Each event therefore forms an 

16 n-dimensional space. 

1 7 The monitoring of a high number of events each having many attributes triggered by an 

1 8 intrusion-detection system is a task that requires high skill and attention from the 

19 monitoring staff, since a large fraction of the triggered events is regularly reported. The 

20 challenge for an operator of the intrusion detection system is to spot those events that are 

21 indicators of a real security problem. In order to distinguish security problem events from 

22 "false positive" alarms, the operators of the intrusion detection system usually watches 
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1 out for interesting event patterns by means of a pattern detection algorithm. This pattern 

2 detection algorithm enables to detect whether an arrived event is part of a given pattern 

3 on the basis of a comparison of the attributes allocated to this given pattern and the attrib- 

4 utes assigned to the arrived event. For example, a pattern detection algorithm may deter- 

5 mine whether the events triggered by the intrusion-detection systems all involve the same 

6 source IP, i.e. involve the same attacking machine, or the same destination IP, i.e. involve 

7 the same attack machine. 

8 In order to render it possible for the operator to supervise the events triggered by the 

9 intrusion-detection system a suitable event visualization is needed. Current intrusion 

10 event presentation methods can be classified into three different groups: a first group of 

1 1 methods provides the operator of the intrusion detection system with a tabular text display 

12 of the relevant event information. For example, the operator console so-called Event 

1 3 Viewer of IBM Tivoli Enterprise Console TEC uses such a presentation method. In order 

14 to distinguish "false" positive events from real security problem events, a time- 

1 5 consuming comparison of textual information has to be carried out, making it difficult to 

16 spot interesting event patterns. 

17 A second group of prior art event visualization methods provides the operator of the 

1 8 intrusion-detection system with a graphical representation of event information, but does 

1 9 not present the arrival time of the events. This second group method renders it possible to 

20 present various relations between event attributes. Such a second group method is known 

21 from Erbacher et al., Intrusion and Misuse Detection in Large-Scale Systems, IEEE CGA 

22 (2002). This document describes a visualization method representing security events as 

23 lines between points, each point representing a specific originating IP address or a 

24 specific destination IP address. From Girardin et al., A Visual Approach for Monitoring 

25 Logs, Proc. 12 th Usenix System Administraction Conference, Boston, Massachusetts, 

26 USA, 1998, a further second group method is known using a parallel coordinate visuali- 

27 zation technique to represent different attributes of events. The disadvantage of the 

28 second group methods is that they do not display the event time, which is the most 
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1 important event attributes. This makes it difficult for operators of the intrusion-detection 

2 system to quickly orient themselves if they have not watched the display for a while. 

3 A third group of prior art event monitoring methods enables an event visualization that 

4 represents the arrival time of events as a separate event attribute. The arrival time of the 

5 event is regularly displayed as the x-axis of cross-plot. From Ma et al., Event Miner: An 

6 Integrated Mining Tool for Scalable Analysis of Event Data, May 2002, a visualization 

7 method is known using a two-dimensional mapping technique of arbitrary event attributes 

8 versa arrival time enabling an operator to analyze the event history. The disadvantage of 

9 this method is that only one of the event attributes may be plotted versus the arrival time 

10 of the events. Thus, the operators have to switch continuously between the various event 

1 1 attributes to make sure that they do not miss a significant event pattern. From Haines et 

12 al., Visualization Techniques for Event Stream Analysis, Eurographics UK Chapter 1 5 th 

13 Annual Conference, Norwich, 1997, an event visualization technique is known using a 

14 vertical stack of cross plots to display multi-event attributes versus event arrival time. 

1 5 This known visualization technique works well if only a few event attributes have to be 

16 monitored simultaneously on a screen. A problem may, however, occur if an operator of 

17 the intrusion detection system has to supervise a large number of event attributes. He then 

1 8 has to simultaneously watch a large number of different plots each displaying an event 

19 attribute versus the event arrival time. In consequence, a high attention of the operator is 

20 required to detect all the security problems derivable from the displayed events. 

21 SUMMARY OF THE INVENTION 

22 Therefore, in one aspect the present invention provides methods, apparatus and systems 

23 for monitoring events in a computer network enabling an operator of an intrusion- 

24 detection system to simultaneously monitor various event attributes versus the arrival 

25 time of the events. In an inventive method of monitoring events in a computer network, 

26 the computer network triggering the events, each event being provided with attribute 
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1 values allocated to a given set of attributes includes the steps of providing an event 

2 display with a cross plot having two coordinate axes, the x-axis presenting a time period 

3 and the y-axis presenting an attribute value range, determining a primary attribute of the 

4 events selected from the given set of attributes to be presented with its attribute values on 

5 the y-axis of the cross plot, allocating a first display label to the events indicating the 

6 attribute values of the primary attribute, providing a pattern algorithm to detect whether 

7 an arrived event is part of a given pattern on the basis of a comparison of the attributes 

8 allocated to the given pattern and of the attributes assigned to the arrived event, providing 

9 a mapping algorithm to map any attribute value of an attribute selected from the given set 

1 0 of attributes onto the y-axis of the cross plot, allocating a second display label to the 

1 1 events indicating the attribute value of the attributes being uncovered as part of the given 

12 pattern, plotting all the events arrived within the time period and including an attribute 

1 3 value allocated to a primary attribute into the cross plot with the first display label 

14 indicating the primary attribute, the position of the first display label of each event in the 

1 5 cross plot being determined on the basis of the attribute value of the primary attribute of 

16 the event and its arrival time, and plotting all the events arrived within the time period 

1 7 and being detected by the pattern algorithm as part of the given pattern into the cross plot 

1 8 with the second display label indicating the given pattern, the position of the second 

1 9 display label of each event in the cross plot being determined by the mapping algorithm 

20 on the basis of the attribute value of the attribute of the event as being uncovered as part 

21 of the given pattern and its arrival time. 

22 The inventive event visualization method only renders it necessary for an operator of the 

23 intrusion-detection system to supervise one single cross plot, which displays all relevant 

24 events. The x-axis of the cross plot of the event display indicates the arrival times of the 

25 relevant events. The y-axis represents the primary attribute values of the events in which 

26 the examiner is mainly interested. Additionally, all the events being detected by the 

27 pattern algorithm as part of an interesting event pattern are displayed in the cross plot. In 

28 order to differentiate the events associated with the primary attribute from the events 

29 being part of the interesting event pattern, a first display label is assigned to all events 
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1 including a primary attribute value and a second display label is assigned to all events 

2 indicating the attribute values of the attributes being uncovered as part of the relevant 

3 event pattern. By using the inventive method of monitoring events, the event display 

4 presents a plot of information of the main event attribute versus the arrival time of the 

5 event by using a first display label for the plotted events wherein the interesting event 

6 pattern derived from other event attributes is simultaneously presented by using the 

7 second display label for these events. If the operator of the intrusion detection system 

8 wants to investigate the events being detected as part of a given pattern in more detail, he 

9 can easily switch to the corresponding event attribute by selecting a mark of the second 

1 0 display label in the cross plot. 

11 In an advantageous embodiment, the attribute values and the arrival time of a new event 

12 are recorded, on the basis of the recorded attribute values of the event it is determined 

1 3 whether or not the newly arrived event includes an attribute value of the primary attribute 

14 and if the newly arrived event includes such an attribute value, the x-axis of the cross plot 

1 5 is shifted so that the time period being presented on the x-axis covers the arrival time of 

16 the event so that all events arrived within the shifted time period may be plotted into the 

17 cross plot with the first display label indicating their primary attribute values. This 

1 8 performance enables a fast display of the events including the primary attribute. 

19 BRIEF DESCRIPTION OF THE DRAWINGS 

20 The foregoing and other aspects, features and aspects and advantages of the present 

21 invention will become more apparent from the following detailed description of the 

22 present invention when taken in conjunction with the accompanied drawings, in which: 

23 Fig. 1 is a conceptual view on the inventive method of monitoring events in a computer 

24 network; 
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1 Fig. 2 is an inventive processing flow to display a newly arrived event; 

2 Fig. 3 is a processing flow for a user input to switch the primary attribute of the events to 

3 be displayed; 

4 Fig. 4 is a processing flow for a user input to select a specific event to be displayed in 

5 detail; and 

6 Fig. 5 is a data-flow diagram disclosing the functional components involved in generating 

f 

7 the inventive event visualization. 

8 DETAILED DESCRIPTION OF THE INVENTION 

9 The present invention provides methods, systems and apparatus for monitoring events in 

10 a computer network enabling an operator of an intrusion-detection system to simultane- 

1 1 ously monitor various event attributes versus the arrival time of the events. Careful 

12 logging network activities is essential to meet the requirements of high security and 

1 3 optimal resource availability. However, detecting break-in attempts within the network 

14 activities is a difficult task. Making the distinctions between misuse and normal use and 

1 5 identifying intrusions using novel attack techniques is difficult. Although the invention 

1 6 generally deals with an improved visual approach for monitoring events triggered by one 

17 or more intrusion detection systems in a computer network, the inventive technique may 

1 8 also be useful for displaying other types of events, not just intrusion events. 

19 The monitoring of events, in particular intrusion events, is a task that requires high skill 

20 and attention from the monitoring staff. The reason for this is that a large fraction of the 

21 reported events are simply so-called "false" positive alarms. The challenge for the opera- 

22 tor is therefore to spot those events that are associated with a real security problem. In 

23 order to identify such security events, the operator of the intrusion detection system is on 
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1 the one hand interested in continuously watching a main characteristic of the incoming 

2 events and on the other hand to uncover interesting event patterns. Intrusion detection 

3 systems normally generate events provided with attribute values allocated to a given set 

4 of attributes to supervise the network activities. These attributes are frequently called 

5 dimensions. 

6 In an example embodiment of the inventive method of monitoring events in a computer 

7 network, the computer network triggering the events, each event being provided with 

8 attribute values allocated to a given set of attributes includes the steps of providing an 

9 event display with a cross plot having two coordinate axes, the x-axis presenting a time 

1 0 period and the y-axis presenting an attribute value range, determining a primary attribute 

1 1 of the events selected from the given set of attributes to be presented with its attribute 

12 values on the y-axis of the cross plot, allocating a first display label to the events indicat- 

1 3 ing the attribute values of the primary attribute, providing a pattern algorithm to detect 

14 whether an arrived event is part of a given pattern on the basis of a comparison of the 

1 5 attributes allocated to the given pattern and of the attributes assigned to the arrived event, 

16 providing a mapping algorithm to map any attribute value of an attribute selected from 

17 the given set of attributes onto the y-axis of the cross plot, allocating a second display 

18 label to the events indicating the attribute value of the attributes being uncovered as part 

19 of the given pattern, plotting all the events arrived within the time period and including an 

20 attribute value allocated to a primary attribute into the cross plot with the first display 

2 1 label indicating the primary attribute, the position of the first display label of each event 

22 in the cross plot being determined on the basis of the attribute value of the primary attrib- 

23 ute of the event and its arrival time, and plotting all the events arrived within the time 

24 period and being detected by the pattern algorithm as part of the given pattern into the 

25 cross plot with the second display label indicating the given pattern, the position of the 

26 second display label of each event in the cross plot being determined by the mapping 

27 algorithm on the basis of the attribute value of the attribute of the event as being uncov- 

28 ered as part of the given pattern and its arrival time. 
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1 An inventive event visualization method only renders it necessary for an operator of the 

2 intrusion-detection system to supervise one single cross plot, which displays all relevant 

3 events. The x-axis of the cross plot of the event display indicates the arrival times of the 

4 relevant events. The y-axis represents the primary attribute values of the events in which 

5 the examiner is mainly interested. Additionally, all the events being detected by the 

6 pattern algorithm as part of an interesting event pattern are displayed in the cross plot. In 

7 order to differentiate the events associated with the primary attribute from the events 

8 being part of the interesting event pattern, a first display label is assigned to all events 

9 including a primary attribute value and a second display label is assigned to all events 

1 0 indicating the attribute values of the attributes being uncovered as part of the relevant 

1 1 event pattern. By using the inventive method of monitoring events, the event display 

12 presents a plot of information of the main event attribute versus the arrival time of the 

1 3 event by using a first display label for the plotted events wherein the interesting event 

14 pattern derived from other event attributes is simultaneously presented by using the 

1 5 second display label for these events. If the operator of the intrusion detection system 

16 wants to investigate the events being detected as part of a given pattern in more detail, he 

1 7 can easily switch to the corresponding event attribute by selecting a mark of the second 

1 8 display label in the cross plot. 

19 According to an advantageous embodiment, the attribute values and the arrival time of a 

20 new event are recorded, on the basis of the recorded attribute values of the event it is 

21 determined whether or not the newly arrived event includes an attribute value of the 

22 primary attribute and if the newly arrived event includes such an attribute value, the 

23 x-axis of the cross plot is shifted so that the time period being presented on the x-axis 

24 covers the arrival time of the event so that all events arrived within the shifted time 

25 period may be plotted into the cross plot with the first display label indicating their 

26 primary attribute values. This performance enables a fast display of the events including 

27 the primary attribute. 

28 According to a further advantageous embodiment, it is determined on the basis of a 
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1 recorded attribute value of a newly arrived event whether or not the newly arrived event is 

2 part of the given pattern on the basis of a comparison of the attributes allocated to a given 

3 pattern and of the attributes assigned to the arrived event. If the newly arrived event 

4 includes an attribute value of the given pattern, the newly arrived event is added to the 

5 previous events being detected as part of the given pattern and all the events being associ- 

6 ated with the given pattern are redrawn in the cross plot. This technique enables a fast 

7 display of the events associated with an interesting event pattern. 

8 Moreover, if a newly arrived event does not include an attribute value of the given pattern 

9 it is advantageous to determine on the basis of recorded attribute values of all previous 

1 0 arrived events by means of the pattern algorithm whether or not a newly arrived event is 

1 1 part of a new pattern on the basis of a comparison of the attributes allocated to the new 

12 pattern and of the attributes assigned to the arrived events. If the newly arrived event 

1 3 forms a new pattern together with the previously recorded events, a third display label is 

14 allocated to the events indicating the attribute values of the attributes being uncovered as 

1 5 part of the new pattern. Then all the events being detected by means of the pattern 

16 algorithm as part of the new pattern are plotted into the cross plot with a third display 

1 7 label indicating the new pattern. This technique enables that the event display always 

1 8 presents all event patterns in all attribute dimensions independent from the actually 

1 9 selected dimension. 

20 Moreover, according to another advantageous embodiment, if the an operator wants to 

21 change the primary attribute to be displayed on the event display and therefore switches to 

22 another event attribute, all the events labels are removed from the cross plot. Then a 

23 further display label is allocated to the events indicating the attribute values of the new 

24 primary attribute. Finally all the events arrived within the time period presented on the 

25 x-axis of the cross plot and including an attribute value of the new primary attribute are 

26 plotted into the cross plot with the further display label indicating the new primary attrib- 

27 ute. This technique enables the operator a fast change between interesting attributes of 

28 events triggered by the computer network. 
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1 According to another advantageous embodiment, if the operator selects one of the events, 

2 e.g. by moving the cursor near or over the plotted event display label, all the attribute 

3 values recorded for this event are plotted into the cross plot with their respective display 

4 labels. Moreover, textual information associated with the selected event may be displayed 

5 on the event display. This technique enables the operator to quickly obtain all the infor- 

6 mation necessary to evaluate an interesting event. 

7 According to another advantageous embodiment, the pattern algorithm is suitable to 

8 perform multi-attribute pattern recognition so that various interesting event patterns may 

9 be simultaneously displayed in the cross plot. In order to improve the visualization of the 

10 pattern, it is further advantageous that all the events uncovered as part of the pattern are 

1 1 clustered by a corresponding display label to distinguish the interesting event pattern from 

12 other patterns. The presentation of the events is further improved by using display labels 

13 for .indicating the events in the cross plot including a specific color and/or a specific mark 

14 layout. 

15 It is an aspect of present intrusion detection visualization techniques to display event 

16 information in such a way that it makes easy for an operator to distinguish false positive 

1 7 events from events belonging to a security problem. The inventive visualization 

1 8 technique, which is detailed below performs a visual fusion of multi-event attributes on a 

19 single display. The inventive method improves the state of the art by helping the operator 

20 to become aware of all relevant event patterns while looking only at a single monitor 

2 1 screen without the need to cycle around through multiple displays. 

22 According to the invention, events which are triggered in a computer network, each event 

23 being provided with values allocated to a given set of dimensions, are monitored with a 

24 cross plot having two coordinate axes, the x-axis presenting a time period and the y-axis 

25 presenting a selected dimension value range. The operator determines a primary dimen- 

26 sion of the events selected from the given set of dimensions to be presented with its 
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1 dimension values on the y-axis of the cross plot. This primary dimension is associated 

2 with a first unique label, advantageously a unique color or a unique mark layout. Moreo- 

3 ver, it is advantageous that each dimension of the given set of dimensions is associated 

4 with a unique label. Moreover, a pattern algorithm is provided in the event monitoring 

5 device to detect whether an arrived event is part of a given pattern on the basis of a 

6 comparison of the dimensions allocated to the given event pattern and the dimensions 

7 assigned to an arrived event. It is advantageous that the pattern algorithm is able to simul- 

8 taneously detect a multitude of event patterns. Moreover, the event monitoring device is 

9 provided with a mapping algorithm to map any dimension value of a dimension selected 

10 from the given set of dimensions onto the dimension value range of the selected primary 

1 1 dimension presented on the y-axis of the cross plot. 

12 The event visualization is performed in that all events arrived within the time period 

13 presented on the x-axis of the cross plot and including a dimension value allocated to the 

14 primary dimension are plotted into the cross plot with the corresponding display label 

1 5 indicating the primary dimension. The position of the display label of each plotted event 

16 is determined on the basis of the corresponding dimension value of the primary dimen- 

17 sion of the event and its arrival time. Further, all the events that arrived within the time 

1 8 period presented on the x-axis and being detected by means of a pattern algorithm as part 

19 of the given pattern, are also plotted into the cross plot with a unique second display label 

20 indicating the given pattern. The second display label indicating the pattern is advanta- 

21 geously an additional mark layout combining all the events corresponding to the pattern 

22 in the cross plot. The position of the second display label of pattern events in the cross 

23 plot is determined by the mapping algorithm on the basis of the dimension values of the 

24 dimensions of the events being uncovered as part of the pattern and their arrival time. 

25 Figure 1 presents a series of eight events E n to En+ 8 being recorded one after the other by 

26 the inventive event visualization device. Each event is associated with a set of dimensions 

27 p, three dimensions pi to p3 being indicated. Figure 1 shows a time vector on which the 

28 arrival time of each event E n to En+8 is marked. Below the time vector, Figure 1 further 
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1 shows three cross plots, the x-axis of each cross-plot presenting a time period and the 

2 y-axis of each cross-plot presenting a dimension value range for dimensions pi to p3, 

3 respectively. In the first cross plot, all the events arrived within the time period and 

4 including a dimension value allocated to the dimension pi are plotted with a first color. 

5 The same applies to all the events including a dimension value allocated to the dimension 

6 p2 in the second cross plot and to all the events including a dimension value allocated to 

7 the dimension p3 in the third cross plot. 

8 In the embodiment presented in Figure 1 , the operator has determined dimension pi of 

9 the recorded events as the primary dimension. In consequence the pattern algorithm 

10 explores whether any of the dimensions pi to p3, are covered by a given pattern. For 

1 1 example the pattern algorithm examines whether all the events involve the same source 

12 IP and the same destination IP. All the events uncovered as part of the given pattern are 

13 connected with lines, as shown in the second cross plot and the third cross plot. 

14 All the three cross plots pi to p3 are finally combined to one single cross plot shown at 

1 5 the bottom of Figure 1 , wherein all the events arrived within the time period and includ- 

16 ing a dimension value allocated to the primary dimension pi are plotted with the associ- 

1 7 ated unique color and mark layout. Further, all the events arrived within the time period 

1 8 and being detected by the pattern algorithm as part of the given pattern, are plotted into 

1 9 the cross plot with their unique colors indicating the respective dimensions of the pattern 

20 wherein all the events of the pattern are connected with lines. 

21 The inventive method of event visualization enables the operator with a single view onto 

22 the x-y coordinate system to monitor all the relevant events occurring in a computer 

23 network. The inventive technique provides the possibility that the operator may look at 

24 any time at a plot of information dealing with one primary event dimension. These events 

25 are plotted with a unique display label. Moreover, all the interesting event patterns of the 

26 other dimension plots superimpose this primary dimension plot indicated by their corre- 

27 sponding unique display labels. 
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1 Figure 2 presents a processing flow for a newly arrived event. If a new event En arrives 

2 (step SI), the dimension values and arrival time of the newly arrived event are recorded. 

3 Furthermore, on the basis of the recorded dimension values, it is determined whether or 

4 not the newly arrived event includes a dimension value of the primary dimension. If the 

5 newly arrived event includes a dimension value of the primary dimension, in step 2 the 

6 event display is shifted to make room for the plot of the newly arrived event, i.e. the 

7 x-axis of the event display is shifted so that the time period presented on the x-axis of the 

8 plot covers the arrival time of the newly arrived event. Moreover, all the events which are 

9 recorded before the new time period presented on the x-axis are removed. This also 

10 applies to all the patterns without any current events within the time period presented on 

11 the x-axis of the cross plot. In the next step S3, the newly arrived event is plotted into the 

12 cross plot with the unique color associated with the primary dimension. Then in step 4, on 

13 the basis of the recorded dimension value of all previously arrived events, it is determined 

14 by means of the pattern algorithm whether the newly arrived event is part of the given 

1 5 pattern on the basis of a comparison of the dimensions allocated to the given pattern and 

16 the dimensions assigned to the newly arrived event. If the newly arrived event includes a 

17 dimension value of the given pattern, the event is added in step 5 to the previous events 

18 being detected as part of the given pattern and all these events being associated with the 

1 9 given pattern are redrawn in the cross plot. 

20 If the newly arrived event does not include a dimension value of the given pattern, it is 

21 determined in step S6 on the basis of the recorded dimension values of the previously 

22 arrived events by means of the pattern algorithm whether or not the newly arrived event is 

23 part of a new pattern on the basis of a comparison of the dimensions allocated to the new 

24 pattern and the dimension values assigned to the arrived event. If the newly arrived event 

25 forms a new pattern together with the previously recorded events, all the events detected 

26 as part of the new pattern are plotted into the cross plot with their unique colors corre- 

27 sponding to the respective dimensions (step S7). If no new pattern is detected, the 

28 program flow is terminated (step S8). 
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1 Figure 3 shows a program flow enabling the operator to change the primary dimension to 

2 be displayed. In a first step SI 1 , the operator switches the primary dimension to be 

3 displayed. In the next step SI 2, the new primary dimension is selected. The program then 

4 clears the display (step S 1 3) and plots all the events arrived within the time period and 

5 including a dimension value allocated to the new primary dimension into the cross plot 

6 with a corresponding display label indicating the new primary dimension (step SI 4). 

7 Then, all the detected patterns are also plotted into the cross plot (step S 1 5). 

8 If the operator intends to investigate the context of the pattern in more detail, a program 

9 flow may take place as shown in Figure 4. The operator may move the cursor to a plotted 

10 dot in the display and selected this dot (step S21). In the next step S22, the program plots 

1 1 all the dimension information into the cross plot corresponding to the selected event. 

12 Further, a full picture of the event is displayed in a further step S23 by presenting a 

1 3 textual representation of all the event properties. The textual representation of the event 

14 properties can be provided either in a separate window or by labeling all the displayed 

1 5 event dots. The step S23 may be triggered separately by the operator, for example, with a 

1 6 further push of a mouse key, when the cursor controlled by the mouse is located at the 

1 7 plotted dot. It is possible that the operator may select multiple events, for example, by 

18 shift clicking. 

19 Figure 5 shows a data flow diagram presenting the functional components involved in the 

20 inventive event visualization technique. The central device 1 is the event 

21 dimension/display mapping component. The central device 1 takes the following informa- 

22 tion as an input: Information on detected event patterns from a pattern detector 2. Further, 

23 mapping definition information as input from a corresponding mapping database 3. This 

24 information specifies a function for each event dimension that maps any event dimension 

25 value into a value range of the y-axis of the corresponding event display x-y coordinate 

26 system. In order to carry out this mapping performance, the mapping definition informa- 

27 tion specifies a family of functions m with individual functions mansion: domaindimension - > 
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1 Z. Further, the central device 1 receives information on the current selected primary event 

2 dimension 4 to be displayed and information on the current event from the event database 

3 5. The event database 5 is also connected to the pattern detector 2. On the basis of the 

4 input information, the central device 1 determines the events and the patterns to be 

5 displayed and output the data to be displayed to the event and pattern display 6. The event 

6 and pattern display 6 enables an interaction with the operator, the operator interaction 

7 may affect the event database 5 and/or the selected dimension 4. 

8 Figure 1 of the present application shows as an example a linear pattern, i.e. all dots are 

9 located on a single row which is detected by the pattern algorithm and visualized. 

10 However, also more complex dimension patterns can be detected by the pattern detection 

1 1 algorithm and be displayed in a similar manner, as shown in Figure 1 . To present a 

12 complex pattern, the display technique may highlight the involved event dots and possi- 

1 3 bly connect them with a polygon line to emphasize the pattern. The inventive method not 

14 only performs "within dimension" patterns, but also may use an algorithm to detect multi- 

1 5 dimension patterns. The pattern detection algorithm might further use background infor- 

16 mation such as the operating system, vulnerabilities of the attacked machine as well as 

17 other information gathered from a network security scan. It is also possible to integrate 

1 8 such event background information as additional displayable event dimensions. 

1 9 A problem with plotting information on multi-dimensions into a single cross plot may be 

20 that the dots can be clustered and occlude each other. To reduce such a clustering of the 

21 displayed dimensions, it may be possible to assign a unique y-position to each dimension. 

22 Variations described for the present invention can be realized in any combination desir- 

23 able for each particular application. Thus particular limitations, and/or embodiment 

24 enhancements described herein, which may have particular advantages to a particular 

25 application need not be used for all applications. Also, not all limitations need be imple- 

26 mented in methods, systems and/or apparatus including one or more concepts of the 

27 present invention. 
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1 The present invention can be realized in hardware, software, or a combination of 

2 hardware and software. A visualization tool according to the present invention can be 

3 realized in a centralized fashion in one computer system, or in a distributed fashion where 

4 different elements are spread across several interconnected computer systems. Any kind 

5 of computer system - or other apparatus adapted for carrying out the methods and/or 

6 functions described herein - is suitable. A typical combination of hardware and software 

7 could be a general purpose computer system with a computer program that, when being 

8 loaded and executed, controls the computer system such that it carries out the methods 

9 described herein. The present invention can also be embedded in a computer program 

10 product, which comprises all the features enabling the implementation of the methods 

1 1 described herein, and which - when loaded in a computer system - is able to carry out 

12 these methods. 

1 3 Computer program means or computer program in the present context include any 

14 expression, in any language, code or notation, of a set of instructions intended to cause a 

15 system having an information processing capability to perform a particular function 

16 either directly or after conversion to another language, code or notation, and/or reproduc- 

1 7 tion in a different material form. 

1 8 Thus the invention includes an article of manufacture which comprises a computer usable 

19 medium having computer readable program code means embodied therein for causing a 

20 function described above. The computer readable program code means in the article of 

21 manufacture comprises computer readable program code means for causing a computer to 

22 effect the steps of a method of this invention. Similarly, the present invention may be 

23 implemented as a computer program product comprising a computer usable medium 

24 having computer readable program code means embodied therein for causing a a function 

25 described above. The computer readable program code means in the computer program 

26 product comprising computer readable program code means for causing a computer to 

27 effect one or more functions of this invention. Furthermore, the present invention may be 
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1 implemented as a program storage device readable by machine, tangibly embodying a 

2 program of instructions executable by the machine to perform method steps for causing 

3 one or more functions of this invention. 

4 It is noted that the foregoing has outlined some of the more pertinent objects and embodi- 

5 ments of the present invention. This invention may be used for many applications. Thus, 

6 although the description is made for particular arrangements and methods, the intent and 

7 concept of the invention is suitable and applicable to other arrangements and applications. 

8 It will be clear to those skilled in the art that modifications to the disclosed embodiments 

9 can be effected without departing from the spirit and scope of the invention. The 

1 0 described embodiments ought to be construed to be merely illustrative of some of the 

1 1 more prominent features and applications of the invention. Other beneficial results can 

12 be realized by applying the disclosed invention in a different manner or modifying the 

1 3 invention in ways known to those familiar with the art. 
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